An unofficial blog that watches Google's attempts to move your operating system online since 2005. Not affiliated with Google.

Send your tips to gostips@gmail.com.

February 12, 2009

Gmail Tests PGP Signature Verification

Sean Leather spotted a new Gmail feature that checks if the PGP signature attached to a message is valid.

"A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact," explains PGP's documentation.


Gmail's code reveals that Google uses a Java applet to perform verification. Here are some excerpts from the code:

function zOb(a){var b=a[dd](/(-----BEGIN PGP SIGNED MESSAGE-----(.|\r?\n)*?-----END PGP SIGNATURE-----)/); ... var DOb="PGPApplet",EOb="exp/799/pgpapplet_0.jar";OZ[k].wbc=function $aRa(){var a=document[Qi](M);d(a,WNb({code:"com/google/caribou/pgp/PGPApplet.class",name:DOb,archive:EOb})); ... kOb="Click to verify PGP signature in this message.",lOb="Verify signature",RZ="vPzQab",mOb="Info",nOb="No valid PGP signature found.",oOb="Warning!",pOb="Invalid key entered.",qOb="Applet not loaded. Is Java enabled?",rOb="wrClmc",sOb="Success!",tOb="Your message was verified successfully!",uOb="Verify again",vOb="The signature was incorrect! This message may not be authentic!"

The new feature quickly vanished from Sean's account, so it's safe to assume that it's not ready to be publicly released yet. PGP signature verification is the perfect candidate to be the next Gmail Labs experiment.

Update: Expect to see this feature in Gmail Labs. Look for this image:

52 comments:

  1. Signature verification is good. Email encryption would be awesome.

    ReplyDelete
  2. Sweet! I've been waiting for that. But I must agree, that encryption support would be even better. FireGPG does a pretty good job so far though.

    ReplyDelete
  3. Nice...Gmail has been rolling out really useful features last few weeks. Really impressed. Undoubtedly its the best email client.

    ReplyDelete
  4. I haven't used signatures or message encryption yet though I a public key encryption for a college course. If GMail supported it I'd definitely start using it though.

    ReplyDelete
  5. Interesting. I wonder which keyservers do they use, or do they use their own?

    ReplyDelete
  6. GMAIL is the best email i have ever used

    ReplyDelete
  7. yeah great.
    i'waiting to kill my Freenigma firefox plugin finally :-)

    pgp signatures are the first step... and now i'm waiting to get a full encryption including attachements! :-D

    after all, i love google labs. some funny geek stuff noone needs (yay, snake!), but there are really good features! :-)

    ReplyDelete
  8. that would be an amazing new feature.

    ReplyDelete
  9. An interesting item to keep an eye on will be how Google handles any future implementation of e-mail encryption via Gmail. Specifically, whether they encrypt the contents of auto-saved drafts, which would be the obvious weak link in a Gmail-based mail encryption scheme.

    ReplyDelete
  10. I used gmail. But only use my gmail account for bisnis only not for work or daily activity..
    over all i believe with gmail.

    ReplyDelete
  11. That would be great — and having the largest provider offer it is the best booting in you can dream of. It probably precedes a full encryption system, although that might be more information-intensive. Maybe GMail offered the "disconnected" Gears tool to dispatch this additional processing to the end-machine.

    I'm not sure why I don't see it: are there any country were this might be illegal? Encryption probably is.

    ReplyDelete
  12. @Bertil:
    You don't see it because it hasn't been released it yet.

    ReplyDelete
  13. FireGPG has always given me problems with GMail in the past. (Haven't used it in a while though.) This would be great, especially if they also add an ability to sign mail in GMail - maybe even encrypt/decrypt, though most users would probably assume Google was just trying to steal their keys. cf. http://xkcd.com/538/

    ReplyDelete
  14. This would be awesome!

    ReplyDelete
  15. While it is possible to use OpenPGP and Gmail with a e-mail client program, it would be excellent if the add built in signature validation in their website.
    Or maybe they can make a plain text webmail option, in order to be able to paste an already encrypted inline message...

    ReplyDelete
  16. It is excellent to verify pgp signature of incoming Email, as this needs only the public key of the sender. However, it is not appropriate for a web mail program to sign an Email directly, as this requires the private key which is not good to be stored on Goolge server rather your own private data store.

    Having said that, I think offline mode or Browse plug-in might fill the gap.

    ReplyDelete
  17. I really like this , It would help me a lot in what I do

    ReplyDelete
  18. I can't wait for this to be out of labs and live. Perhaps the increased visibility and automatic verification would help get people interested in PGP and email encryption!!

    While it's stuck in labs, though, it will just be a toy for nerds... most of whom probably already have FireGPG installed.

    ReplyDelete
  19. It is just me or gmail searches return only starred messages?

    ReplyDelete
  20. This is very exciting. I look forward to seeing this in labs.

    ReplyDelete
  21. I m waiting for this a long time. I hope to test it soon.

    ReplyDelete
  22. PGP signature verification is in labs? where?

    ReplyDelete
  23. Right now I use the GnuPG with the FirePG (Firefox GPG Plugin) which allows Gmail to send/receive PGP email, along with verification, etc. But if GMail comes with it built in, I'm definitely on board with that!

    ReplyDelete
  24. PGP and encryption would be an excellent feature.

    ReplyDelete
  25. Any update on this in gmail yet ? Have not seen anything.
    I'd stick to full disk encryption for the laptop to start with as its more important.

    ReplyDelete
  26. hey gmail is getting advanced and good i love that new features in it

    ReplyDelete
  27. Definitively, one of the greatest feature to add would be PGP...

    Something like this would be great...

    Hi Gmail folks,
    This is a test for the most expected feature on Gmail, PGP!

    <> <> <> <>

    ReplyDelete
  28. An applet is a great approach. It offloads the work to the client where it can be most secure (even from Google's mail server).

    I wonder where and how the private key is stored. There should be a second prompt from the applet to request the password to un-encrypt the private key. In this way, the server keeps only the encrypted version for convenience.

    ReplyDelete
  29. with all of the possibilities of getting email stolen, I would love to see PGP encryption available. It would only add to the security features they already have in place.

    ReplyDelete
  30. It sounds good for signatures, but actual encryption should not be done on the google side of things. The point of pgp is that even the email provider doesn't have access to the message contents. I wouldn't use it unless my private key never leaves my hands.

    ReplyDelete
  31. hushmail uses an applet to do full OpenPGP compatible encryption / signatures. Is there any word on whether google mail will continue having at least signature verification?

    ReplyDelete
  32. Any news on on gmail PGP signature verification support?

    ReplyDelete
  33. Obviously Gmail has absolutely no interest in encrypting the contents of emails, as their whole ad rationale is based on... contents.

    ReplyDelete
  34. Its a shame that its unlikely to be implemented. How are google going to suggest relevant advertising from encrypted emails?

    ReplyDelete
  35. For the rare times that I want to encrypt a message, I'm happy to copy&paste from a terminal. But it would be awesome+1 if GMail would *sign* my messages, even if I have to generate a GMail-specific key that I don't expect to be as safe as the one on my notworked PC at home.

    ReplyDelete
  36. @Bernd +1
    I can live without encryption via the web interface, but it sure would be nice to *at* *least* have signing available.

    ReplyDelete
  37. Hi all,

    Any update with this?

    Regards

    ReplyDelete
  38. This would be nice...

    ReplyDelete
  39. Still no updates on this feature, I'm sure Google wont add the signature for us!

    ReplyDelete
  40. This would be great because it verifies authenticity of the sender. If your gmail was hacked and an bunch of email was sent out to a person. The person receiving it would not know if it was really you unless they verify your signature.

    I don't understand why Google cant have this as a common application

    ReplyDelete
  41. I have activated pop in G mail and using Thunderbird with the Enigmail extension for open-pgp.

    ReplyDelete
  42. The FBI has a back door to gmail that allow them to view and search all emails. This back door was exploited a while back by China when they were able to use gmail to find dissidents.

    Just consider any email that you send via gmail as viewable by governments and hackers (basically consider it public information).

    I suspect this is true of all email in general (through gateway sniffers). Client side pgp is the only way we will ever have our privacy back.

    ReplyDelete
  43. Google won't provide the pgp encryption because google want to see ones content. Google doesn't provide so much space for ones email account just for free - it needs to look into the stuff. Encrypting everything would render all the hosted data useless for google (not to mention us gov)

    ReplyDelete
  44. They could host the private keys that way you wouldn't relay on having you private key on every computer you use and have special addons in your favorite borwsers.

    If the private key is hosted on their site we could benifit from the encryption without keeping them from giving the backdoor to fbi and hackers.

    ReplyDelete
  45. Signing alone is of trivial value.

    Signed- and encrypted message [threads] are the grail for webmail

    Google has done little (read as: nothing) to facilitate webmail encryption


    Obviously "do no evil" is NOT synonymous with "do good"


    XMPP:obviously@chatme.im

    ReplyDelete
  46. AGP in K9 on android is slow grinding in a positive direction.

    FireGPG seemed like a good plan until
    http://blog.getfiregpg.org/2010/06/07/firegpg-discontinued/

    there's a new masokidsm [sic] on the block
    http://gnupg.org/



    @ july 14 2011
    gmail OUGHT neither generate- nor store one's PRIVATE key

    wolf in the sheeple house and whatnot




    XMPP:obviously@chatme.im

    ReplyDelete
  47. Any update on this? I'd love to have this!

    ReplyDelete
  48. Well considering that google can't even figure out how to alphabetise youtube playlists ... I'm not holding out much hope.

    ReplyDelete
  49. Check out this free & open source tool for easy to use Pretty Good Privacy in Gmail.
    https://sourceforge.net/projects/safegmail/?source=directory

    ReplyDelete